CVE-2025-40908

NameCVE-2025-40908
DescriptionYAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libyaml-libyaml-perl (PTS)bullseye0.82+repack-1vulnerable
bookworm0.86+ds-1vulnerable
sid, trixie0.903.0+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libyaml-libyaml-perlsource(unstable)0.903.0+ds-1

Notes

[bookworm] - libyaml-libyaml-perl <no-dsa> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/30071726/
https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
https://github.com/ingydotnet/yaml-libyaml-pm/pull/121
Fixed by: https://github.com/ingydotnet/yaml-libyaml-pm/commit/5fe9daed726c06900c3cd41a739460057bec6dc3 (v0.903.0)
https://github.com/ingydotnet/yaml-libyaml-pm/pull/122

Search for package or bug name: Reporting problems